In the world of industrial control systems, even small devices can carry outsized risks when a vulnerability slips through. That's exactly the case with CVE-2023-3643, a serious path traversal issue affecting the CAREL Boss-Mini local supervisor, specifically firmware version 1.4.0 (Build 6221).
This device is a workhorse in commercial refrigeration, cold storage, air conditioning, and building automation setups. It quietly manages compressors, temperature controls, defrost cycles, and alarms. Research published in mid-2023 found that its web interface lets an attacker who has not authenticated read any file stored on the device's file system.
The attack is simple: send a POST request to the /boss/servlet/document endpoint with a manipulated path parameter, for example a standard directory traversal sequence such as ../../../../etc/passwd, or the same trick aimed at the device's own configuration files. No login is required; the attacker only needs network reachability to the controller's web interface. If the server answers 200 OK, the response body contains the requested file in plain text.
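To make the mechanics concrete, here is an added example (not CAREL's code, and not the Exploit DB proof of concept) of the bug class: a file-serving handler that joins a client-supplied path onto its document root without confining it, next to a hardened version that resolves the path and rejects anything that escapes the root. The directory layout, file names and contents are constructed on the fly in a temporary directory so the example runs offline.

```python
import os
import shutil
import tempfile


def make_layout():
    """Create a constructed layout: <base>/docs is the document root,
    <base>/secret.txt sits one level above it (stand-in for /etc/passwd)."""
    base = tempfile.mkdtemp(prefix="boss-demo-")
    docroot = os.path.join(base, "docs")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "manual.txt"), "w") as f:
        f.write("public manual\n")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed content
    return base, docroot


def serve_vulnerable(docroot, requested):
    """Naive handler: the client-controlled path is joined onto the root
    and opened as-is, so '../' walks out of the root (and an absolute path
    such as '/etc/passwd' replaces the root entirely, because os.path.join
    discards everything before an absolute component)."""
    target = os.path.join(docroot, requested)
    with open(target, "r") as f:
        return f.read()


def is_confined(docroot, requested):
    """True only if the fully resolved target still lies under the root.
    realpath() also collapses symlinks, so a link inside the root that
    points outside it is rejected too."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, requested))
    return os.path.commonpath([root, target]) == root


def serve_hardened(docroot, requested):
    """Same handler with the containment check in front of open()."""
    if not is_confined(docroot, requested):
        raise PermissionError("path escapes document root: %r" % requested)
    root = os.path.realpath(docroot)
    with open(os.path.realpath(os.path.join(root, requested)), "r") as f:
        return f.read()


def run_demo():
    """Exercise both handlers against the constructed layout and return
    what each one did with a benign and a traversal request."""
    base, docroot = make_layout()
    try:
        results = {
            "vuln_inside": serve_vulnerable(docroot, "manual.txt"),
            "vuln_traversal": serve_vulnerable(docroot, "../secret.txt"),
            "hard_inside": serve_hardened(docroot, "manual.txt"),
            "hard_traversal": "served",
        }
        try:
            serve_hardened(docroot, "../secret.txt")
        except PermissionError:
            results["hard_traversal"] = "blocked"
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%-15s %r" % (name, value))
```

The hardened version deliberately checks the resolved path rather than looking for the literal string "../": URL-encoded, double-encoded or backslash variants of the traversal sequence all end up as the same resolved path, so the containment check catches them without a blocklist of patterns.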
Public proof-of-concept code has been available since July 2023, so the vulnerability is trivial to test for and to exploit. In June 2024, CISA issued advisory ICSA-24-172-02, rating it critical (CVSS v3.1 9.8, CVSS v4.0 9.3). What does that mean in practice? An attacker can read sensitive files from the device (for example network configuration settings, default usernames and passwords, logs, and operational parameters) and so gains a complete picture of the controller and of the surrounding systems to target next.
CAREL, the Italian manufacturer, responded by releasing fixed firmware v1.6.0 and later to close the gap. They credit the find to researchers Werley Ferreira, Anderson Cezar, and João Luz, who reported it responsibly.
For organizations running these controllers (supermarkets, warehouses, hotels, food processing plants), the advice is clear:
1. Inventory your Boss-Mini deployments and check firmware versions right away.
2. Upgrade to v1.6.0 or later ASAP (CAREL provides access to this update through their support portal).
3. In the meantime, harden what you have: change any default access credentials, enforce a strong password policy, and restrict web access to authorized static internal networks only (per CAREL security document +030220471).
4. Monitor for any unauthorized traffic trying to access /boss/servlet/document.
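The monitoring step in the list above, as an added example (not CAREL's code and not part of the original post): a small detector that runs over access-log records from a reverse proxy or WAF placed in front of the controller and raises an alert on any request to /boss/servlet/document that either comes from a host outside a management allow-list or carries a directory traversal sequence, including URL-encoded and double-encoded forms. The JSON-per-line log format, the sample records, the management host address and the `path=` form field are all constructed for this example; in particular, most access logs do not record POST bodies, so the `body` field assumes body logging has been enabled for this endpoint (or that the same records come from a network sensor).

```python
import json
import re
from urllib.parse import unquote

# Constructed sample records: two benign requests from the management host,
# three traversal attempts from an unexpected host (plain, URL-encoded and
# double-encoded), and one traversal attempt via the query string.
SAMPLE_LOG = """\
{"src": "10.0.5.10", "method": "GET", "path": "/boss/index.html", "status": 200, "body": ""}
{"src": "10.0.5.10", "method": "POST", "path": "/boss/servlet/document", "status": 200, "body": "path=manuals/unit1.pdf"}
{"src": "192.168.40.77", "method": "POST", "path": "/boss/servlet/document", "status": 200, "body": "path=../../../../etc/passwd"}
{"src": "192.168.40.77", "method": "POST", "path": "/boss/servlet/document", "status": 200, "body": "path=..%2f..%2f..%2fetc%2fshadow"}
{"src": "192.168.40.77", "method": "POST", "path": "/boss/servlet/document", "status": 404, "body": "path=%252e%252e%252fetc%252fpasswd"}
{"src": "10.0.5.10", "method": "GET", "path": "/boss/servlet/document?path=../config.xml", "status": 200, "body": ""}
"""

MANAGEMENT_HOSTS = {"10.0.5.10"}   # assumption: only hosts allowed to use the web UI
DOCUMENT_ENDPOINT = "/boss/servlet/document"

# A '..' segment that is followed by a slash, backslash or end of string and
# is not merely part of a longer name such as "file..bak".
TRAVERSAL = re.compile(r"(?<![.\w])\.\.(?:[\\/]|$)")


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e -> %2e -> .)
    cannot slip past a single-pass check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse(log_text):
    """Return one alert per suspicious request to the document endpoint."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        path_only = event["path"].split("?", 1)[0]
        if path_only != DOCUMENT_ENDPOINT:
            continue
        reasons = []
        if event["src"] not in MANAGEMENT_HOSTS:
            reasons.append("source not in management allow-list")
        # Inspect query string and body together, after full decoding.
        probe = fully_decode(event["path"] + "&" + event.get("body", ""))
        traversal = bool(TRAVERSAL.search(probe))
        if traversal:
            reasons.append("directory traversal sequence")
        if reasons:
            alerts.append({
                "line": lineno,
                "src": event["src"],
                "status": event["status"],
                "reasons": reasons,
                # A 200 on a traversal request means the device most likely
                # returned the file, which is what the advisory describes.
                "confirmed": traversal and event["status"] == 200,
            })
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Two practical notes: the allow-list rule fires even when no traversal pattern is visible, which is the only signal you get if bodies are not logged; and a 404 on a traversal attempt (the double-encoded line above) is still worth an alert, because it shows someone probing the endpoint even if that particular encoding did not work.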
As of January 2026, there is no public evidence of widespread exploitation of the Boss-Mini in the wild; however, with both a patch and a working exploit publicly available, an unpatched unit cannot be treated as a low risk over the long term. Vulnerabilities like this are an ongoing reminder that OT security is NOT OPTIONAL, and that while patching embedded devices may seem inconvenient, the consequences of leaving them exposed are far more severe.
If you are one of the technicians responsible for managing your company's refrigeration/HVAC equipment, I encourage you to take a quick look at your controllers today; one small update now may save you a much greater headache down the road.
Source: Exploit DB